HTTPS performance issue with opkg (Was: [PATCH 3/3] build: switch VERSION_REPO to HTTPS)

Daniel Golle daniel at makrotopia.org
Tue Sep 15 04:23:50 EDT 2020


On Tue, Sep 15, 2020 at 08:49:51AM +0200, Baptiste Jonglez wrote:
> On 27-08-20, Paul Spooren wrote:
> > The variable VERSION_REPO is used by opkg to download package(list)s.
> > Now that the default installation support encrypted HTTP opkg should
> > make use of it.
> 
> I wonder what is the performance impact of this?  Opkg forks a new wget
> process to download each package, so the HTTPS connection is never reused.
> 
> Running a simple "time make image
> PROFILE=mikrotik_routerboard-921gs-5hpacd-15s" with the ath79/mikrotik
> imagebuilder results in a 50% increase of running time:
> 
> - with HTTPS: 32 seconds
> - with HTTP: 22 seconds
> 
> (timing for the second run is shown, and dl/ is cleaned up before each run)
> 
> The overhead might be even more significant on a device, and the download
> server probably sees more load from the large number of key exchange.
> Anybody got any figures?
> 
> With HTTPS, opkg would really need connection reuse.  I don't think the
> current situation is acceptable for a stable release, if only to avoid
> high load on the download server.

I suggest to revert that change as HTTPS doesn't do us a favour here.
It prevents Web-Caches (squid and such), hurts performance and
integrity should (at least now) anyway be ensured by SHA256 of the
package contained in the ed25519 signed package list.
In my opinion HTTPS even gives users a false sense of security, as it
is up to a few hundred certification authorities to not compromise
rather than just to a few keys shipped with OpenWrt.
Plus the complexity of the handshake, large choice of ciphers
(rather than pinning SHA256 + ed25519), ...
Even major distributions like Debian and ArchLinux make HTTPS optional
and opt-in for their package download servers.
Imho the disadvantages clearly outweigh the benefits here.


> 
> Baptiste
> 
> > Suggested-by: Petr Štetiar <ynezz at true.cz>
> > Suggested-by: Baptiste Jonglez <baptiste at bitsofnetworks.org>
> > Signed-off-by: Paul Spooren <mail at aparcar.org>
> > ---
> >  include/version.mk                 | 2 +-
> >  package/base-files/image-config.in | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/include/version.mk b/include/version.mk
> > index 7d3c1ad640..b7f42e13bb 100644
> > --- a/include/version.mk
> > +++ b/include/version.mk
> > @@ -32,7 +32,7 @@ VERSION_CODE:=$(call qstrip,$(CONFIG_VERSION_CODE))
> >  VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),$(REVISION))
> >  
> >  VERSION_REPO:=$(call qstrip,$(CONFIG_VERSION_REPO))
> > -VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.openwrt.org/snapshots)
> > +VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),https://downloads.openwrt.org/snapshots)
> >  
> >  VERSION_DIST:=$(call qstrip,$(CONFIG_VERSION_DIST))
> >  VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),OpenWrt)
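Review bot: the new fallback on the `+VERSION_REPO:=...https://downloads.openwrt.org/snapshots` line means every image built without CONFIG_VERSION_REPO set now depends on the target's downloader having TLS support at runtime; the commit message only says the default installation "support encrypted HTTP", so it should spell out which component provides that and what happens to opkg on a minimal image where it is absent (failing to fetch the package list), and should mention the per-package wget fork cost raised in the thread since no connection reuse exists yet.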
> > diff --git a/package/base-files/image-config.in b/package/base-files/image-config.in
> > index 4bace77db0..bfa3055cc8 100644
> > --- a/package/base-files/image-config.in
> > +++ b/package/base-files/image-config.in
> > @@ -183,7 +183,7 @@ if VERSIONOPT
> >  	config VERSION_REPO
> >  		string
> >  		prompt "Release repository"
> > -		default "http://downloads.openwrt.org/snapshots"
> > +		default "https://downloads.openwrt.org/snapshots"
> >  		help
> >  			This is the repository address embedded in the image, it defaults
> >  			to the trunk snapshot repo; the url may contain the following placeholders:
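Review bot: the help text under the changed `default "https://downloads.openwrt.org/snapshots"` line still only says it "defaults to the trunk snapshot repo"; it should also say that the default is now an HTTPS URL, so that users overriding VERSION_REPO know the image is expected to carry TLS-capable download support and can weigh the HTTP vs HTTPS trade-off (caching proxies and handshake overhead) discussed in this thread.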



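As an added illustration of the integrity argument in the reply above, and not code from the thread, from opkg or from OpenWrt: the downloaded package's SHA256 is compared against the `SHA256sum` field of the Packages index, which is the same check whether the bytes arrived over HTTP or HTTPS. It assumes the index's own signature (usign/ed25519) has already been verified before this step; the index stanzas and package bytes below are constructed samples, not real .ipk archives.

```python
import hashlib
import hmac

# Constructed sample package payloads (not real .ipk archives).
GOOD_PKG = b"constructed ipk bytes for hello"
OTHER_PKG = b"constructed ipk bytes for world"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_packages_index(text: str) -> dict:
    """Parse an opkg-style Packages index (RFC 822-like stanzas separated
    by blank lines) into {Filename: {field: value}}."""
    entries, stanza = {}, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "Filename" in stanza:
                entries[stanza["Filename"]] = stanza
            stanza = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            stanza[key.strip()] = value.strip()
    return entries


def verify_package(index_text: str, filename: str, data: bytes) -> bool:
    """True only if the bytes match the SHA256sum recorded for Filename.
    Unknown files or entries without a sum fail closed."""
    entry = parse_packages_index(index_text).get(filename)
    if entry is None or "SHA256sum" not in entry:
        return False
    # Constant-time compare; transport (HTTP or HTTPS) plays no role here.
    return hmac.compare_digest(entry["SHA256sum"].lower(), sha256_hex(data))


# Constructed index; sums computed from the sample payloads above.
SAMPLE_INDEX = (
    "Package: hello\nVersion: 1.0-1\n"
    "Filename: hello_1.0-1_mips_24kc.ipk\n"
    f"Size: {len(GOOD_PKG)}\nSHA256sum: {sha256_hex(GOOD_PKG)}\n\n"
    "Package: world\nVersion: 2.1-3\n"
    "Filename: world_2.1-3_mips_24kc.ipk\n"
    f"Size: {len(OTHER_PKG)}\nSHA256sum: {sha256_hex(OTHER_PKG)}\n"
)

if __name__ == "__main__":
    print(verify_package(SAMPLE_INDEX, "hello_1.0-1_mips_24kc.ipk", GOOD_PKG))
```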



